The Orange Book: The Easy guide to Managing Risks in the Public Sector

Gary Seymour
Aug 24, 2023

Context: This article is a guide to The Orange Book. Published by HM Treasury, it outlines how to manage risks in the delivery of public services and change activities. It gives guidance on key roles and responsibilities, and a Framework for managing risks and delivering effective risk management practices.

The realm of public sector guidance, with its intricate details and nuances, can often seem overwhelming. This guide aims to simplify that landscape, offering a streamlined and accessible approach to the essential principles of public sector risk management.

Recognising the complexity inherent in the original Treasury-sponsored guidance, we’ve crafted this guide to be clearer and easier to consume. By translating technical jargon into straightforward language, we aim to make the principles of risk management more approachable, without compromising on the depth of information. The Orange Book is published under the “Open Government Licence”, and this work recognises the extensive use of this reference material. All original content is owned by the copyright owners.

Whether you’re an experienced professional in the public sector or someone just beginning to delve into risk management, this guide is designed to help you understand and mature your risk approach.

Background to The Orange Book

The Orange Book is your essential guide to managing risks in the public sector. Designed for those involved in the creation, operation, and delivery of public services, it’s a comprehensive resource that aims to enhance your planning and decision-making abilities.

The Orange Book isn’t just a reference; it’s a dynamic tool that public sector organisations can wield to sharpen their strategic planning, reach their goals, and fortify their ability to tackle challenges head-on. But it doesn’t stop at managing risks after the fact. Instead, it encourages you to dive into the uncertainties, explore various options, and make realistic assessments of risks tied to your projects and programmes.

From the birth of a policy or project to its implementation, and all the way through to the daily grind of delivering public services, the Orange Book helps guide your decisions. It’s not just about avoiding pitfalls; it’s about enhancing service delivery and squeezing the most value out of each and every investment. By weaving effective risk management into the very fabric of how public sector organisations function, the Orange Book helps turn good intentions into great results.

The Orange Book has seen several updates and revisions since its first publication in May 2013. It was updated in July 2019 and then subsequently in Feb 2020. Several additional documents were added to the collection over time, enhancing its scope. In October 2020, the Risk Appetite Guidance Note was added, followed by the ‘Risk Management Skills and Capabilities Framework’ publication in August 2021. A ‘Good Practice Guide: Risk Reporting’ was added to the collection in 2021.

The most recent updates were made in May 2023, with a new edition and a new annex, ‘Portfolio Risk Management Guidance’.

Introduction

In the fast-paced world of public service, risk management isn’t just a safety net; it’s a trampoline to success. It’s about sharpening strategies, hitting targets, and dancing through challenges with grace. As our world grows more complex and demands for transparency soar, risk management isn’t just keeping up; it’s leading the way.
The Orange Book is made up of two distinct parts:

  • Part I: Principles and Concepts. Part I is your guide to elevating risk management and making it a natural part of your daily operations.
  • Part II: Control and Assurance. Part II lays down a structure to help you master risk control, categorising high-level requirements and ensuring you’re on the right track.

“A Dance, Not a Duel”

Public Sector organisations can’t shy away from risk; they must embrace it. It’s in every step towards delivering top-notch services. It’s not about dodging bullets but taking a balanced view, evaluating options, and managing impacts. It’s about realism, effectiveness, and integration into everything we do.

Collaboration, Collaboration, Collaboration

Risk management isn’t a solo act; it’s a symphony. It thrives on openness, transparency, challenge, and collaboration. It invites scrutiny, welcomes expertise, and constantly learns from experience. It’s not just about rules; it’s about people, attitudes, and continuous growth.

Scope

The Orange Book is tailored for all government departments and public bodies; its principles resonate across the UK public sector and are adaptable to many different contexts.

Purpose

The Orange Book is for everyone steering the ship of efficient, trusted public services. From accounting officers to board members, risk practitioners to senior leaders, policy leads to project SROs, the Orange Book is the compass and guide for navigating the seas of public service.

The Orange Book and ISO31000, MoR, P3M3 Frameworks

The Orange Book, while a standalone guide for risk management in the public sector, shares common principles with several internationally recognised risk management and project management frameworks. These include ISO31000, the Management of Risk (MoR) process, and the Portfolio, Programme, and Project Management Maturity Model (P3M3).

  • ISO31000: This is an international standard for risk management that provides principles and guidelines. The Orange Book aligns with ISO31000 in its emphasis on the systematic identification, assessment, and management of risks. Both guides stress the importance of integrating risk management into all organisational processes and the need for a tailored approach that fits the specific context of each organisation.
  • Management of Risk (MoR): MoR is a framework for risk management developed by AXELOS. It provides a route map for risk management, bringing together principles, an approach, a set of processes, and pointers to more detailed sources of advice on risk management techniques and specialisms. The Orange Book and MoR share a common focus on the principles of risk management and the need for a systematic approach to identifying, assessing, and managing risks.
  • P3M3: The P3M3 framework is a management maturity model looking across an organisation at how it delivers its projects, programmes and portfolio. P3M3 allows an assessment of the process employed, the competencies of people, the tools deployed and the management information used to manage and deliver improvements. The Orange Book complements the P3M3 framework by providing a risk management perspective that can enhance the organisation’s maturity in managing risks across its projects, programmes, and portfolio.

In summary, while the Orange Book is a standalone guide for risk management in the public sector, it aligns well with these other frameworks. By understanding these relationships, organisations can leverage the strengths of each to enhance their overall risk management approach.

The Orange Book Main Principles

The Orange Book sets out main and supporting principles for risk management in government. The main principles are mandatory requirements and form the core of the document. They provide the “what” and the “why”, not the “how”, for the design, operation, and maintenance of an effective risk management framework.

There are five main principles:

  • A. Governance and Leadership: emphasises the importance of strong governance and leadership in managing risks. It outlines the roles and responsibilities of the board, the accounting officer, and the Audit and Risk Assurance Committee.
  • B. Integration: focuses on the integration of risk management into the organisation’s operations. It highlights the need for risk management to be an integral part of informed decision-making.
  • C. Collaboration and Best Information: underscores the importance of collaboration and the use of the best available information in managing risks. It promotes transparency, constructive challenge, and cooperation.
  • D. Risk Management Processes: details the processes involved in risk management. It emphasises the need for a systematic approach to identifying and managing uncertainties.
  • E. Continual Improvement: highlights the importance of continual learning and improvement in risk management. It encourages organisations to learn from experience and continually improve their risk management capabilities.

The Orange Book emphasises that risk management should not be about adding new processes; instead, it should ensure that effective risk management is integrated into the way organisations lead, direct, manage, and operate. It also stresses the importance of a risk culture that embraces openness, supports transparency, and welcomes constructive challenge.

Definitions

The Orange Book provides some definitions, which are helpful in providing context, language and consistency of understanding.

  • Governance: Governance refers to the system by which organisations are directed and controlled. It plays a pivotal role in defining accountabilities, relationships, and the distribution of rights and responsibilities among those involved in the organisation. Governance not only determines the rules and procedures through which the organisation’s objectives are set but also provides the means to achieve those objectives and monitor performance. A crucial aspect of governance is the establishment, support, and oversight of the risk management framework.
  • Risk Management: Risk Management encompasses the coordinated activities that are designed and operated to manage risk and exercise internal control within an organisation. It’s a systematic approach to identifying, assessing, and managing potential threats or opportunities that could impact the achievement of an organisation’s objectives.
  • Risk: Risk is defined as the effect of uncertainty on objectives. It’s typically expressed in terms of its causes, potential events, and their consequences. A cause is an element which, either alone or in combination, has the potential to give rise to risk. An event, on the other hand, is an occurrence or change in a set of circumstances. This can be something expected that doesn’t happen or something unexpected that does. Events can be triggered by multiple causes and can lead to multiple consequences, affecting various objectives. The consequences of an event are the outcomes that impact objectives. These consequences can be certain or uncertain, positive or negative, and can have direct or indirect effects on objectives. They can also escalate, leading to cascading and cumulative effects.

When we talk about risks, it’s essential to pinpoint the root causes rather than just the potential outcomes or symptoms. For instance, instead of merely stating the negative outcomes, it’s crucial to understand what might lead to those outcomes. Also, defining risks as merely the failure to meet objectives can be an oversimplification.

When evaluating the potential outcomes of risks, organisations often consider various factors, including financial implications, reputation damage, legal issues, safety concerns, and more. It’s vital to regularly review and adjust these criteria to ensure they remain relevant. When determining the severity of a risk, always consider the worst-case scenario that seems most plausible.

Analysing Risks

Risk analysis involves assessing the likelihood of a particular risk occurring and the potential consequences if it does. This likelihood can be determined in various ways, whether through objective data, subjective judgement, or a mix of both.

When analysing risks, consider:

  • The reliability of the information at hand.
  • The interconnectedness and complexity of various factors.
  • Time-related aspects and potential changes over time.
  • The efficiency of existing measures to control the risk.

Internal Control: Managing Risks

Internal control refers to the comprehensive set of tools, policies, and procedures designed to manage and mitigate risks. These controls are deeply embedded in an organisation’s operations and are influenced by the organisation’s culture and behaviours.

If a risk level is deemed too high, even after implementing internal controls, the organisation should take additional steps to manage that risk. This could involve introducing preventive measures, setting clear directives, detecting issues early, or implementing corrective actions. The process is iterative, meaning it involves:

  • Setting up and implementing controls.
  • Evaluating how effective these controls are.
  • Deciding if the remaining risk, after controls are in place, is acceptable.
  • If the risk remains too high, revisiting and enhancing the controls.

It’s essential to understand that no internal control system is foolproof. Even the best-designed controls might not yield the expected results and can sometimes introduce new risks that need addressing.

Assurance

Assurance can be thought of as the bedrock of confidence in an organisation’s activities. It’s the trust we place in the information provided by an organisation, believing that its operations are conducted successfully, that its internal controls are both efficient and effective, that it complies with all necessary regulations, and that the information it provides is both insightful and trustworthy.

However, the strength of this confidence isn’t constant. It can waver when there are doubts about the accuracy of the information or the reliability of the processes that produced it. Think of assurance as a spotlight: when it shines brightly on clear, objective, and credible information, confidence is high. But if the light dims, casting shadows of uncertainty, confidence can quickly erode. The goal, then, is to ensure that the assurance spotlight remains bright, illuminating the organisation’s activities with clarity and trustworthiness.

Principle A: Governance and Leadership

Risk management is a crucial part of governance and leadership. It’s the backbone of how an organisation is steered, managed, and controlled at all levels. In simpler terms, it’s like the captain of a ship, guiding the organisation through calm and stormy waters alike.

“Governance and Leadership” is broken down into 10 supporting principles:

A1: Tailored Governance

  • Every public sector organisation should set up governance structures that fit its unique needs, size, and culture. It’s like choosing the right outfit — it has to fit well and reflect who you are. People’s behaviour and culture greatly affect risk management at every level and stage. The accounting officer, like a good teacher, should make sure that the right values and behaviours are well understood and followed by everyone.

A2: Leadership Assessment

  • The accounting officer, with the board’s help, should regularly check if the leadership style, opportunities for discussion, and HR policies support the desired risk culture. They should encourage good behaviour and discourage the bad. If things aren’t going as planned, they should make corrections and ensure that the desired risk culture and behaviours are promoted.

A3: Strategic Risk Management

  • The board should decide on the style and quality of risk management. They should lead in assessing and managing opportunities and risks. They should understand the main risks the organisation faces and how much risk they’re willing to take to achieve their goals. Good risk management should support informed decision-making, ensure confidence in responding to risks, and provide transparency about the main risks faced and how they’re managed.

A4: Clear Roles and Responsibilities

  • The board should make sure that everyone knows their role in risk management. This helps in making effective decisions and knowing when to escalate, combine, or delegate tasks. The accounting officer should make sure that roles and responsibilities are well understood and followed by everyone.

A5: Regular Risk Reviews

  • The board should regularly review how management is responding to the main risks. Risk should be considered regularly as part of the normal flow of information about the organisation’s activities and in significant decisions on strategy, major new projects, and other prioritisation and resource allocation commitments.

A6: Balanced Risk Reports

  • Regular reports to the board should provide a balanced assessment of the main risks and the effectiveness of risk management. The accounting officer, supported by the Audit and Risk Assurance Committee, should monitor the quality of the information they receive and ensure that it is sufficient to allow effective decision-making.

A7: Tailored Risk Management Approach

  • The accounting officer, supported by the Audit and Risk Assurance Committee, should establish the organisation’s overall approach to risk management. The risk management framework should be periodically reviewed to ensure it remains effective and suitable for the organisation.

A8: Designated Risk Leader

  • The accounting officer should appoint a senior individual to lead the organisation’s overall approach to risk management. This person should be involved in and influence governance and decision-making forums and establish effective communication with the accounting officer, senior management, the board, and the chair of the Audit and Risk Assurance Committee.

A9: Resource Allocation

  • The accounting officer should ensure the allocation of appropriate resources for risk management. This can include people, skills, experience, and competence.

A10: Demonstrated Leadership Commitment

  • The accounting officer, supported by senior management, must show leadership and articulate their ongoing commitment to risk management. They should develop and communicate a policy or statement to the organisation and other stakeholders, which should be periodically reviewed.

Principle B: Integration

Risk management should be a part of all organisational activities. It’s like a secret ingredient in a recipe that makes everything work together to achieve the desired outcome.

The “Integration” Principle is broken down into 5 supporting principles:

B1: Embedded Risk Management

  • Risk management should be a part of everything an organisation does. It should be involved in setting strategies and plans, evaluating options, prioritising resources, managing performance, managing assets, and improving outcomes. The accounting officer, with the help of senior management, should make sure that risks are transparent and considered in every decision-making process.

B2: Effective Appraisal

  • Effective appraisal helps to assess the costs, benefits, and risks of different ways to achieve objectives. When conducting an appraisal, risks should be identified and analysed in the design and implementation of options. This analysis should provide the foundation to understand the risks arising through chosen options and how these will be managed.

B3: Delivery Confidence

  • Confidence in delivery should be supported by clearly identifying the main risks faced and how those risks will be managed within business and financial plans. It’s like having a clear road-map for a journey, knowing the potential obstacles and how to navigate them.

B4: Horizon Scanning and Scenario Planning

  • The board and those setting strategy and policy should use horizon scanning and scenario planning to identify and consider emerging risks, threats, and trends. It’s like using a telescope to look into the future, anticipating what might come and preparing for it. The Government Office for Science ensures that government policies and decisions are informed by the best scientific evidence and strategic long-term thinking.

B5: Public Protection and Assurance

  • The government has a role in protecting and assuring the public. This includes taking cost-effective action to reduce risk to a tolerable level and providing accurate and timely information about risks to the public. Policy leads should involve the public, understand their concerns, and communicate good information about risk. The government will be open and transparent about its understanding of risks to the public and about the process it is following in handling them. Decisions for intervention will be based on relevant evidence, including expert risk assessment. Responsibility for managing risks will be placed on those best able to control them.

Principle C: Collaboration and Best Information

Risk management should be a team effort, informed by the best available information and expertise. It’s like a group project where everyone brings their best knowledge and skills to the table.

“Collaboration and Best Information” is broken down into 6 supporting principles:

C1: Comprehensive Risk Management

  • The accounting officer, with the help of the Audit and Risk Assurance Committee, should establish risk management activities that cover all types of risks. This requires collaboration and cross-organisational working through a range of public sector, private sector, and third-sector partnerships. The risk management framework should provide a comprehensive view of the risk profile to support governance and decision-making.

C2: Partnership with Arm’s Length Bodies

  • Government departments often sponsor arm’s length bodies, which they are ultimately responsible for, while allowing a degree of independence. Effective relationships and partnership working between departments and arm’s length bodies are critical. The principal accounting officer should consider the organisation’s overall risk profile, including the risk management within arm’s length bodies.

C3: Systematic Risk Management

  • Risk management processes should be conducted systematically, iteratively, and collaboratively, drawing on the knowledge and views of experts and stakeholders. Information and perspectives should be supplemented by further enquiry as necessary and should reflect changes over time.

C4: Stakeholder Consultation

  • Those assessing and managing risks should consult with appropriate external and internal stakeholders. Communication should be continual and iterative, supporting dialogue, providing and sharing information, and promoting awareness and understanding of risks.

C5: Communication and Consultation

  • Communication and consultation should help stakeholders understand the risks faced, the basis on which decisions are made, and the reasons why particular actions are required and taken. It should bring together different functions and areas of professional expertise in the management of risks and build a sense of inclusiveness and ownership among those affected by risk.

C6: Functional Integration

  • Functions within and across organisations should play an integral part in identifying, assessing, and managing the range of risks that can arise and threaten successful delivery against objectives. Function leads should provide expert judgement to advise the accounting officer on various aspects, including setting strategies and plans, evaluating programmes, projects and policy initiatives, prioritising resources, identifying and assessing risks, determining the risk appetite, designing and operating internal controls, and driving innovation and improvements.

Principle D: Risk Management Processes

Risk management processes should be structured and include risk identification and assessment, risk treatment, risk monitoring, and risk reporting. It’s like a well-organised toolbox, where each tool has a specific purpose and place.

Principle D, “Risk Management Processes”, is broken down into 16 supporting principles:

D1: Systematic Risk Management

  • The accounting officer, supported by their nominated individual responsible for leading the organisation’s overall approach to risk management, should ensure the adequate design and systematic implementation of policies, procedures and practices for risk identification and assessment, treatment, monitoring and reporting.

D2: Risk Identification

  • Risk identification activities should produce an integrated and holistic view of risks. The aim is to understand the organisation’s overall risk profile. Risks should be identified whether or not their sources are under the organisation’s direct control.

D3: Risk Assessment

  • Risk assessment, which incorporates risk analysis and risk evaluation, is necessary to evaluate the significance of identified risks to support decision-making.

D4: Risk Analysis

  • Risk analysis is to support a detailed consideration of the nature and level of risk. The risk analysis process should use a common set of risk criteria to foster consistent interpretation and application in defining the level of risk.

D5: Analysis Techniques

  • Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of evidence and the resources available. Limitations and influences associated with the information and evidence bases used should be explicitly considered.

D6: Risk Evaluation

  • Risk evaluation should involve comparing the results of the risk analysis with the organisation’s risk appetite to determine where and what additional action is required.

D7: Risk Treatment

  • Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in enhancing the achievement of objectives against the costs, efforts or disadvantages of proposed actions.

D8: Treatment Implementation

  • As part of the selection and development of risk treatments, the organisation should specify how the chosen option(s) will be implemented, so that arrangements are understood by those involved and effectiveness can be monitored.

D9: Contingency Planning

  • Where appropriate, contingency, containment, crisis, incident and continuity management arrangements should be developed and communicated to support resilience and recovery if risks crystallise.

D10: Risk Monitoring

  • Monitoring should play a role before, during and after implementation of risk treatment. Ongoing and continuous monitoring should support understanding of whether and how the risk profile is changing and the extent to which internal controls are operating as intended.

D11: Monitoring and Review

  • The results of monitoring and review should be incorporated throughout the organisation’s wider performance management, measurement and reporting activities.

D12: Integrated Risk Management

  • The “three lines model” sets out how these aspects should operate in an integrated way to manage risks, design and implement internal control and provide assurance through ongoing, regular, periodic and ad-hoc monitoring and review.

D13: Risk Reporting

  • The board, supported by the Audit and Risk Assurance Committee, should specify the nature, source, format and frequency of the information that it requires. Factors to consider for reporting include differing stakeholders and their specific information needs and requirements, cost, frequency and timeliness of reporting, method of reporting, and relevance of information to organisational objectives and decision-making.

D14: Information for Decision-Making

  • The information should support the board to assess whether decisions are being made within its risk appetite to successfully achieve objectives, to review the adequacy and effectiveness of internal controls, and to decide whether any changes are required.

D15: Informative Reports

  • Clear, informative and useful reports or dashboards should promote key information for each principal risk to provide visibility over the risk, compare results against key performance/risk indicators, indicate whether these are within risk appetite, assess the effectiveness of key management actions and summarise the assurance information available.

D16: Deep Dive Reviews

  • Principal risks should be subject to “deep dive” reviews by the board and/or Audit and Risk Assurance Committee, with those responsible for the management of risks and with appropriate expertise present at an appropriate frequency depending on the nature of the risk and the performance reported.

Principle E: Continual Improvement

Risk management should be continually improved through learning and experience. It’s like a cycle of learning, where we learn from our past, apply it to our present, and improve our future.

“Continual Improvement” is broken down into 4 supporting principles:

E1: Adapt and Improve

  • The organisation should continually monitor and adapt the risk management framework to address external and internal changes. The organisation should also continually improve the suitability, adequacy and effectiveness of the risk management framework. This should be supported by the consideration of lessons based on experience and, at least annually, review of the risk management framework and the performance outcomes achieved.

E2: Learn from Experience

  • All strategies, policies, programmes and projects should be subject to comprehensive but proportionate evaluation, where practicable to do so. Learning from experience helps to avoid repeating the same mistakes and helps spread improved practices to benefit current and future work, outputs and outcomes. Lessons should be continually captured, evaluated and action should be taken to manage delivery risk and facilitate continual improvement of the outputs and outcomes.

E3: Use Maturity Models

  • Process/capability maturity models or continua may be used to support a structured assessment of how well the behaviours, practices and processes of an organisation can reliably and sustainably produce required outcomes. These models may be used as a benchmark for comparison and to inform improvement opportunities and priorities.

E4: Develop Improvement Plans

  • As relevant gaps or improvement opportunities are identified, the organisation should develop plans and tasks and assign them to those accountable for implementation. This is like creating a to-do list for improvement, where each task is assigned to the person best suited to complete it.

Summary: The Orange Book Principles

The Orange Book Risk Management Framework

The Risk Management Framework provides a structured approach to risk management. It is designed to ensure that principles related to risk control are consistently understood and applied across all organisational activities. This framework is not intended to be prescriptive about how organisations should control risk but provides guidance on what should be considered and why.

Accounting Officers: Roles and Responsibilities

Accounting officers, as the senior executive officials in each public sector organisation, are responsible for ensuring organisational compliance with existing rules and guidance, including Functional Standards. Each year, they sign statements acknowledging their responsibilities and providing assurance on the adequacy of internal controls. Their responsibilities support the achievement of their organisations’ policies, aims, and objectives while safeguarding quality standards and public funds, as well as meeting high standards of public conduct. The Risk Control Framework does not change accounting officer responsibilities but should make it easier for accounting officers, their management teams, functional leaders, audit and risk assurance committees, and boards to demonstrate that these responsibilities are being discharged appropriately.

Application of the Framework

The Risk Control Framework (RCF) is a versatile tool that serves various purposes across different scenarios. It’s like a Swiss Army knife for organisational risk management, offering a consistent structure and assurance across multiple facets. Here’s how it can be applied:

  • Understanding Organisational Risk Management: Accounting officers can use the RCF to gauge how well risk management is designed and implemented within their organisation.
  • Assistance by Risk/Assurance Functions: Those who provide oversight, advice, or assurance can utilise the RCF to support accounting officers.
  • Consistency for Internal Auditors: It offers a uniform structure for audit planning and reporting results.
  • Assurance for Internal Audit and ARACs: The RCF provides assurance on internal controls and aids in crafting the Annual Governance Statement.
  • Uniform View Across Government: It can be employed by others seeking a consistent perspective on internal control, regardless of the specific methods used by individual organisations.
  • Understanding Risk Management Contributions: The RCF helps in comprehending how risk management contributions function in the overall context.

Whether it’s about understanding, assisting, assuring, or providing a consistent view, the RCF is a valuable asset that adapts to various needs and purposes.

Governance and the Risk Control Framework (RCF)

Governance within government is a dynamic landscape, with various control frameworks that are as diverse as they are essential. It’s like a living organism that constantly evolves, adapting to new risks and changing controls. Here’s how the RCF plays a vital role in this ever-changing environment:

  • Adaptation to Change: In a world where risks are continually emerging and systems are evolving, the RCF acts as a stabilising force. It ensures that procedures and policies are regularly reviewed and updated, keeping them fit for purpose.
  • Structure and Confidence: By providing structure to existing requirements, the RCF helps accounting officers feel confident in their control activities. It’s like a well-organised blueprint that guides prioritisation and improvements.
  • Strengthening Decision Making: The RCF supports the management of risks, allowing for more informed and robust decision-making. It’s a tool that empowers accounting officers to fulfil their duties with greater insight and precision.
  • Enabling Better Outcomes: With more effective control, the RCF allows for a higher level of risk-taking when desired. It’s like having a safety net that enables better results from given resources or achieving the same with less, leading to more efficient risk management.

In essence, the RCF is not just a framework; it’s a governance partner that adapts, structures, strengthens, and enables, ensuring that control activities across government are not only effective but also efficient.

Structure of the Risk Control Framework (RCF)

The Risk Control Framework (RCF) encompasses all controls relevant to government organisations. This includes operational local controls, functional standards, and other guidance, codes and standards. The RCF is a part of the broader risk management framework used in Government, outlined in Part I of the Orange Book.

The RCF is structured around four interconnected Pillars, each with key sub-components, and an underlying requirement across the entire RCF of the ‘three lines model’. Each of these related (and sometimes overlapping) pillars, along with the mandatory and non-mandatory requirements that sit behind them, are detailed in the Assurance Tool. The following framework diagram is useful when considering the comprehensiveness of control-related activity in organisations.

  • Pillar 1: Governance and Management Framework: Every organisation should have a governance framework that complies with expected standards of conduct, efficiency requirements, and transparency in delivery.
  • Pillar 2: Roles and Accountabilities: Roles and accountabilities should be clearly defined and assigned to individuals with appropriate seniority, skills, and experience. Everyone needs to understand their roles and responsibilities in managing their organisation’s risks and controls and in discharging their duties.
  • Pillar 3: Strategy, Planning & Reporting: Public Sector organisations should adopt short, medium, and long-term approaches to planning. In doing so, they should ensure that risks to strategy and business objectives are visible and effectively mitigated. Performance and risk reporting should be designed and operated to inform and enable effective risk-based decision-making.
  • Pillar 4: Standards, Policies & Procedures: Decisions should be made and implemented in a timely manner in accordance with the organisation’s governance and management framework (including financial management controls and delegations of authority), government policy and regulations, and the organisation’s strategy. Local organisational processes should have appropriate controls attached to them, reflecting the scale, nature, and complexity of the organisation.

Underpinning all the pillars is the effective culture and operation of the ‘Three Lines Model’, including the provision of appropriate assurance.

The RCF is built from legislation, existing codes/guidance/rules created centrally as high “entity” level controls across government. These high-level requirements (which can be aligned to the pillars of the RCF) should inform local assessments at various levels with the potential to be aggregated. Inside departments/other organisations, other local requirements (high level/entity codes/guidance/rules) may exist. Where they do, they should also inform local assessments. At local organisation unit/process/sub-process/other levels, individual risks and controls will be identified and assessed reflecting the higher-level control requirements and local control needs.

The RCF does not affect the principles of the Orange Book but is intended to provide greater clarity on elements of control. Categories (pillars) and sub-categories (blocks) of the RCF can relate to one or more components of the Orange Book and this mapping is illustrated in the diagram on Pg 35 which should help when users wish to consider controls through either the Part II (RCF) categories or the Part I principles.

Assurance

Assurance, in the context of the Risk Control Framework (RCF), is a vital tool that supports organisations in identifying and managing their most significant risks. It provides a comprehensive snapshot of the potential threats to their objectives, service improvements, and value for money.

The Essence of Assurance

At its core, assurance is about confidence. It’s about management having faith in the design, application, and effectiveness of the controls in place to manage risk within their business areas. The ultimate goal is to ensure these controls are the right ones for managing principal risks, achieving compliance with standards, and operating effectively. This assurance activity is the bedrock of the annual governance statement and drives audit planning and reporting.

The RCF can be used to structure assurance, bringing cohesion to the activity undertaken. It doesn’t dictate how organisations should design and operate their assurance activities but provides a flexible approach informed by relevant standards, guidance, and good practice.

Types of Requirements Meriting Assurance

The RCF helps structure existing business requirements that need to be addressed in the assurance mapping. These requirements generally fall under one of the following categories:

  1. Functional Standards: These are the primary reference documents for improved and consistent ways of working. They help accounting officers fulfil their duties and are drivers of coherence, consistency, and continuous improvement.
  2. Other Central Government guidance, codes of conduct, procedures: These can include mandatory and/or non-mandatory components and need to be given equal importance in assurance mapping and delivery.
  3. Additional requirements local to the organisation: These are requirements set by organisational leaders for use within their organisation. They are not requirements from central government but need to be given appropriate attention in assurance mapping and delivery.

The RCF Assurance Tool

The Risk Centre of Excellence team (RCoE) has created a tool that provides various levels of assurance questions for assessing adherence to the items underpinning the categories and components in the RCF. The tool is designed to assist assurance teams and practitioners in understanding the scope of existing requirements rather than supplying a definitive list of questions. It’s a ‘guiding hand’ through management assurance processes leading to the annual governance statement, and in doing so, also assists audit planning and reporting.

Assurance Mapping

Assurance mapping is a mechanism for linking assurance from various sources to the risks that threaten the achievement of an organisation’s outcomes and objectives. It ensures the appropriate nature, coverage, and depth of assurance being planned, which typically relates directly to the degree of confidence organisations can have in their control environment. Effective and efficient assurance mapping helps improve the effectiveness and efficiency of risk management more broadly.

There are different approaches to assurance mapping in use across government, and the RCF does not set a preferred approach for this activity. It’s for accounting officers to decide what works best for their organisation. The RCF, however, can be a useful way to bring common language to assurance activity.

Regardless of the approach to mapping adopted by organisations, the following steps have been shown to be useful:

  1. Start with the most strategically important aspects.
  2. Leverage existing risk and control information.
  3. Address the effectiveness and efficiency of the planned assurance.
  4. Undertake lots of engagement to explain the approach/process and its importance.
  5. State what good controls look like and the quality of evidence required.
  6. Keep questions relevant and at a high level.
  7. Review and update each year as things do change.
  8. Use colour coding and other visualisation techniques.
  9. Build good relationships with Subject Matter Experts (SMEs).
  10. Seek an optimum mix of assurance.
  11. Ensure assurance is manageable and suitable for the nature, scale, and complexity of the operations being reviewed.

In summary, assurance is a crucial part of the RCF, providing organisations with the confidence they need to manage their principal risks effectively. It’s a flexible approach that can be tailored to the specific needs and requirements of each organisation, helping them to achieve their objectives and deliver value for money.

Roles and Responsibilities

Board

The board of a public sector organisation is the strategic heart of risk management. They are responsible for:

  • Leading the assessment and management of risk, taking a strategic view of risks in the organisation.
  • Ensuring clear accountabilities for managing risks and equipping officials with the relevant skills and guidance.
  • Determining the organisation’s “risk appetite” — the level of risk they are willing to accept to achieve their objectives.
  • Ensuring that planning and decision-making reflect this risk appetite.
  • Using horizon scanning to identify emerging sources of uncertainty, threats and trends.
  • Assessing compliance with the Corporate Governance Code.

Accounting Officer

The accounting officer, supported by the Audit and Risk Assurance Committee, plays a crucial role in embedding the desired risk culture within the organisation. Their responsibilities include:

  • Periodically assessing whether the organisational values, leadership style, and human resource policies support the desired risk culture.
  • Establishing the organisation’s overall approach to risk management.
  • Ensuring the design and systematic implementation of policies, procedures and practices for risk identification, assessment, treatment, monitoring and reporting.
  • Demonstrating leadership and articulating their continual commitment to risk management.

Audit and Risk Assurance Committee

The Audit and Risk Assurance Committee supports the board in leading the assessment and management of risk. They should:

  • Understand the organisation’s business strategy, operating environment and the associated risks.
  • Discuss with the board its policies, attitude to and appetite for risk.
  • Critically challenge and review the risk management framework.
  • Obtain assurance on risks across the organisational group.

The Three Lines Model

The ‘Three Lines Model’ is a straightforward yet effective representation of how to delegate and coordinate risk management roles and responsibilities within an organisation. It’s not a rigid blueprint or organisational design, but rather a flexible model that can be implemented to support the Risk Control Framework (RCF). The roles within each ‘line’ may vary and operate differently depending on the organisation.

  • First Line: Management Control and Internal Control Measures

The first line of defence is management. They are the primary owners of risk, responsible for identifying, assessing, and managing risks that can either facilitate or hinder the achievement of an organisation’s objectives. They ‘own’ the risks and are responsible for executing internal controls on a day-to-day basis and implementing corrective actions to address deficiencies.

Managers design, operate, and improve processes, policies, procedures, activities, devices, practices, or other actions that maintain and/or modify risks. They supervise effective execution and ensure compliance, highlighting control breakdowns, variations in or inadequate processes, and unexpected events.

  • Second Line: Functions that Oversee or Specialise in Risk Management

The second line of defence consists of functions and activities that monitor and facilitate the implementation of effective risk management practices. They set the boundaries for delivery through the definition of standards, policies, procedures, and guidance. They assist management in developing controls in line with good practice, monitor compliance and effectiveness, and alert senior management to emerging issues and changing risk scenarios.

Assurance Teams, typically from the second line, lead and coordinate the assurance mapping and delivery activity. They refine wording of questions to be used locally each year, set the rating mechanisms and formatting requirements for assurance findings, and pursue areas requiring improvements.

  • Third Line: Internal Audit

The third line of defence is the internal audit function. It provides an objective evaluation of the adequacy and effectiveness of the framework of governance, risk management, and control. Internal audit provides proactive evaluation of controls proposed by management and advises on potential control strategies and the design of controls.

  • External Assurance

Beyond the organisation’s own risk management framework and The Three Lines Model, there are other sources of assurance that support an organisation’s understanding and assessment of its management of risks and its operation of controls. These include external auditors, value for money studies, independent expert assurance reviews of major government projects, and other sources of independent external assurance.

  • Coordination, Cooperation, and Communication

The model’s roles share a common objective: to help the organisation achieve its objectives with effective management of risks. They often deal with the same risk and control issues, and careful coordination is necessary to avoid unnecessary duplication of efforts while ensuring all significant risks are addressed appropriately.

The accounting officer and the board should clearly communicate their expectation that information be shared and activities coordinated across each of the ‘lines’ where this does not diminish the effectiveness or objectivity of any of those involved. It’s likely to be helpful to adopt a common ‘language’ or set of definitions across the ‘lines model’ to ease understanding.

In summary, the ‘Three Lines Model’ provides a simple and effective way to delegate and coordinate risk management roles and responsibilities within an organisation. It’s a flexible structure that can be implemented to support the Risk Control Framework (RCF), helping organisations to achieve their objectives with effective management of risks.

Driving Assurance

The RCF offers guided ‘Assurance Questions’ that give a structured approach to assessing how the risk management principles are applied. These questions are designed to support the efficient and effective operation of the risk management framework. While they are not exhaustive and may not apply in all situations, they can highlight areas that might need improvement.

A. Governance and Leadership

B. Integration

C. Collaboration and Best Information

D. Risk Management Processes

E. Continual Improvement

Risk Categories

The Orange Book identifies the following Risk Categories, which help collate and manage like and related items. This labelling provides consistency with other Governance and Assurance activities, and aligns to responsibilities.

Supporting Annexes

The Orange Book is complemented by a series of annexes that provide additional guidance and insights into specific areas of risk management. These documents serve as valuable resources for those looking to delve deeper into particular aspects of the subject. Below is a summary of each annex, along with links to access the full documents:

  1. Portfolio Risk Management Guidance Orange Book Annex (PDF, 1.91 MB, 24 pages)

  • This annex offers guidance on managing risks across a portfolio of projects or initiatives. It’s a comprehensive resource for those looking to understand and apply portfolio risk management principles within the public sector.

  2. Risk Appetite Guidance Note (PDF, 722 KB, 22 pages)

  • Understanding and defining an organisation’s risk appetite is crucial in strategic planning and decision-making. This guidance note provides insights into determining the level of risk an organisation is willing to accept in pursuit of its objectives.

  3. Risk Management Skills and Capabilities Framework (PDF, 3.37 MB, 22 pages)

  • This framework outlines the essential skills and capabilities required for effective risk management. It’s a valuable tool for human resource professionals, risk practitioners, and leaders looking to develop and assess risk management competencies within their teams.

  4. Good Practice Guide: Risk Reporting (PDF, 637 KB, 20 pages)

  • Effective risk reporting is vital for transparency and informed decision-making. This guide offers best practices and practical tips for creating clear, informative, and useful risk reports.

These annexes enrich the core content of the Orange Book, providing specialised guidance and tools to support public sector organisations in their risk management journey.

Conclusion

Navigating the complex world of risk management in the public sector is no small feat. The Orange Book serves as a compass, guiding public sector organisations through the multifaceted landscape of risk. Here’s a recap of the key areas and main takeaways from this guide:

  • Principles and Supporting Principles: From governance and leadership to continual improvement, the Orange Book lays out a comprehensive set of principles and supporting guidelines. These are the building blocks for effective risk management.
  • Roles and Responsibilities: The Orange Book delineates the specific roles and responsibilities of key players such as the board, accounting officer, and Audit and Risk Assurance Committee. It’s a roadmap for who does what, how, and when.
  • Risk Control Framework (RCF): The RCF is the tool that can be applied across various scenarios, providing structure and assurance in managing risks.
  • Governance and Adaptation: Emphasising the need for regular review and adaptation, the Orange Book encourages organisations to stay agile and responsive to the ever-changing risk environment.
  • Collaboration and Improvement: The Orange Book promotes a culture of collaboration, learning, and continual improvement, ensuring that risk management is a dynamic and evolving process.

The Orange Book is more than a manual; it’s a philosophy that integrates risk management into the very fabric of public service delivery. It’s about making informed decisions, planning strategically, and responding effectively to challenges. It’s about being realistic, transparent, and accountable. It’s about achieving better outcomes with the resources at hand.

Whether you’re a seasoned risk practitioner or new to the field, the Orange Book offers valuable insights and practical guidance. It’s a resource that empowers public sector organisations to sail confidently through calm and stormy waters alike, steering towards success. So embrace the principles, engage with the practices, and embark on a journey towards more effective and efficient risk management. The Orange Book is your trusted guide, and the horizon is full of possibilities.

Recommended References

  1. BS ISO 31000:2018(E) — Risk management — Guidelines
  2. Corporate governance code for central government departments
  3. Managing Public Money — Section 4 Governance and Management
  4. Managing Public Money — Annex 4.3 Risk
  5. Budget 2018: 2.18 The Balance Sheet Review and Getting smart about intellectual property and intangible assets
  6. Central Government Guidance on Appraisal and Evaluation — The Green Book
  7. The Future Toolkit: provides guidance on horizon scanning and outlines how scenarios can be used to further investigate emerging risks
  8. The National Security Risk Assessment (NSRA): the Government’s principal tool for identifying and assessing risks to the UK over the medium term. It is owned by the Resilience Directorate in the Economic and Domestic Secretariat of the Cabinet Office.
  9. The Principles of Managing Risks to the Public
  10. ISO 31010:2009: a supporting standard for BS ISO 31000 that provides guidance on the selection and application of systematic techniques for risk assessment
  11. Guidance on producing quality analysis for government — The Aqua Book
  12. The Outsourcing Playbook — Central Government Guidance on Outsourcing Decisions and Contracting
  13. Guidance for evaluation — The Magenta Book
  14. HM Treasury Audit and Risk Assurance Committee Handbook, March 2016
  15. Public Sector Internal Audit Standards
  16. International Standards on Auditing — ISA 315 and 610
  17. HMT Assurance Frameworks 2012

Gary Seymour

CTO, Technology and Change Lead across enterprise, cloud and secure solutions. Central Government, Global Organisations, Technology Start-ups.